For years, corporate executives were clamoring for an exemption to the Freedom of Information Act (FOIA) to reassure them that information they shared with the federal government about critical infrastructure protection stayed with the federal government. (See “Everything You Ever Wanted to Know About FOIA,” November 2002.) On Nov. 25, when President Bush signed legislation creating the Department of Homeland Security, they got their wish.

A small section of the new law protects voluntarily submitted information regarding “the security of critical infrastructure and protected systems, analysis, warning, interdependency study, recovery, reconstitution or other informational purpose” from public requests submitted under FOIA. More controversially, it also stipulates that the department not use the information in any civil action without the written consent of the entity that submitted the information.

“I know there have been some concerns about it going too far, but I don’t view it that way,” says Bruce Bonsall, CISO of MassMutual. Although it’s too soon for the law to have had any impact just yet, he says that eventually, “it’ll make the private sector that much more comfortable in sharing information about threats and vulnerabilities with the government, and we absolutely need to do that to protect the critical infrastructure.”

If companies do decide to share information, they’ll have to label it carefully.
For protection, the person or entity submitting the information must provide written notice stating, “This information is voluntarily submitted to the federal government in expectation of protection from disclosure as provided by the Critical Infrastructure Information Act of 2002.”